Mozilla Foundation Security Advisory 2008-08

File action dialog tampering

Announced

February 7, 2008

Reporter

Michal Zalewski

Impact

Moderate

Products

Firefox

Fixed in

Firefox 2.0.0.12

Description

Security researcher Michal Zalewski demonstrated
that timer-enabled security dialogs can be subverted by attackers using
JavaScript to change the window focus. Zalewski showed that a user
could be tricked into confirming a security dialog of this type by
bringing the dialog back into focus right before a user clicked in
a predictable time and place.

Workaround

Disable JavaScript until a version containing these fixes can be installed.